Advanced Authentication 6.3 Service Pack 2 includes enhancements, improves usability, and resolves several previous issues.
Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure that our products meet all your needs. You can post feedback in the Advanced Authentication forum on NetIQ Communities, our online community that also includes product information, blogs, and links to helpful resources. You can also post enhancement request ideas, or vote on existing ones, in the Ideas forum.
For more information about this release and for the latest release notes, see the Advanced Authentication NetIQ Documentation page. To download this product, see the Advanced Authentication Product website.
If you have suggestions for documentation improvements, click comment on this topic at the bottom of the specific page in the HTML version of the documentation posted at the Advanced Authentication NetIQ Documentation page.
Advanced Authentication 6.3 Service Pack 2 provides the following enhancements and fixes:
This release introduces the following features:
Advanced Authentication introduces a new authenticator, Apple Touch ID. Touch ID is the fingerprint recognition feature built into the Mac operating system; this authenticator lets users authenticate to a Mac with it.
For more information about Apple Touch ID, see Apple Touch ID in the Advanced Authentication - User guide.
Advanced Authentication introduces the ability to localize error messages, method messages, and prompt messages into a language that is not supported out of the box. This applies to all Advanced Authentication portals, integrated third-party products, and the Windows Client.
For more information about custom localization for server side, see Localizing the Web UI and Messages in the Advanced Authentication - Administration guide.
For more information about the custom localization for Windows Client, see Localizing the Messages for Clients in the Advanced Authentication - Windows Client guide.
In this release, Advanced Authentication introduces flexible single sign-on (SSO) for RDP and Citrix ICA connections. When Flexible sign-on is enabled and a user connects to a remote machine launched via Citrix StoreFront or Microsoft Remote Desktop using a chain that includes the LDAP Password method, the LDAP Password prompt is skipped and the user authenticates with the remaining methods of that chain.
For more information, see Enabling Flexible Sign-on for Citrix VDI or Remote Desktop Login in the Advanced Authentication - Windows Client guide.
Advanced Authentication 6.3 Service Pack 2 includes the following enhancements:
This release includes the following Server enhancements:
Advanced Authentication can now hide the TOTP code on rooted smartphones for OATH TOTP authenticators. This feature requires the following mobile application releases or later:
iOS app v3.1.10
Android app v3.1.16
For more information, see TOTP in the Advanced Authentication - Administration guide.
In the new Enrollment portal, Advanced Authentication allows a user to enroll or delete authenticators or chains that are enrolled for any event category.
Advanced Authentication strengthens the password complexity check that applies when the Complexity requirements option in the Password method settings is enabled. The password specified by the user must now meet at least three of the complexity requirements.
Advanced Authentication enhances the Web Authentication policy so that the administrator can change both the Session Timeout and the Authorization Code Timeout values.
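The "at least three of the requirements" rule above is an N-of-M character-class policy. The following is an added example, not NetIQ code, of how such a check is evaluated and how it reports what is missing. The four character classes and the minimum length are assumptions for illustration; the product's actual list of requirements is the one shown in the Password method settings, and the function names are this example's own.

```python
"""Added example (not NetIQ code): an 'at least N of M complexity
requirements' password check. The requirement set and minimum length below
are assumptions, not the product's configured policy."""
import string
from typing import List, Tuple

# Assumed requirement set: (name, predicate over a single character).
REQUIREMENTS = [
    ("uppercase letter", str.isupper),
    ("lowercase letter", str.islower),
    ("digit", str.isdigit),
    ("special character", lambda c: c in string.punctuation),
]


def satisfied_requirements(password: str) -> List[str]:
    """Names of the requirements this password satisfies, in policy order."""
    return [name for name, test in REQUIREMENTS if any(test(c) for c in password)]


def check_password(password: str, min_requirements: int = 3,
                   min_length: int = 8) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons).

    Length is enforced separately from the N-of-M rule, so a long password
    drawn from one class is rejected, and so is a short one that happens to
    touch every class."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    met = satisfied_requirements(password)
    if len(met) < min_requirements:
        missing = [name for name, _ in REQUIREMENTS if name not in met]
        reasons.append(
            f"meets {len(met)} of {len(REQUIREMENTS)} requirements, "
            f"need {min_requirements}; missing: {', '.join(missing)}"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Tr0ub4dor&3", "correcthorse", "Ab1!"):
        print(candidate, check_password(candidate))
```

Reporting which classes are missing, rather than a bare accept/reject, is what makes an N-of-M rule usable in a self-service portal; the check itself stays a pure function so it can be unit-tested against the configured policy.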
For more information about the timeout settings, see Configuring Timeout in the Advanced Authentication - Administration guide.
Advanced Authentication now supports Flex OTP as a shared authenticator. Users can use shared TOTP, Smartphone OTP, and HOTP methods as Flex OTP to authenticate.
Now it is possible to use Flex OTP for authentication in SAML 2.0 and OAuth 2.0 integrations.
Advanced Authentication is now compatible with AdminByRequest: a login failed message is no longer displayed when a user runs a program as an administrator.
This release includes the following RADIUS enhancements:
Advanced Authentication introduces the following rules in the RADIUS event:
Input rule
Chain selection rule
Result specification rule
Now, it is possible to specify the rules not only in the RADIUS Options policy, but also per Event. For more information, see RADIUS Server in the Advanced Authentication - Administration guide.
In this release, Flex OTP works in one line (in the same password field) with the LDAP Password and Password methods for RADIUS.
In this release, Advanced Authentication improves the error messages for RADIUS authentication for users and in logs.
Advanced Authentication 6.3 Service Pack 2 includes the following software fixes:
Advanced Authentication 6.3 Service Pack 2 includes the following Server fixes:
This release includes the following fixes:
When a user clicks the User report in the Helpdesk portal, the following message is displayed:
TypeError Object of type user is not json serializable (unknown error)
This release resolves one more issue with User report. When the proxy is configured and a user clicks the User report in the Helpdesk portal, an SSL bad handshake error message is displayed.
When the Active Directory password has expired, users cannot log in to SAML 2.0 and OAuth 2.0 integrations and the following message is displayed:
Your authentication password has expired.
Now, users are redirected to Self Service Password Reset to change the password.
Registration of a new site fails because copying the database from the Global Master Server to the DB Master server of the new site fails over a slow or unstable network connection. It is now possible to deploy a new server without copying the database; the administrator can later import the data manually from the .cpt file or copy it with the copy-db script.
For more information, see Registering a New Site in the Advanced Authentication - Administration guide.
When a user tries to authenticate via smartphone method, NetIQ mobile application displays the default push notification message instead of the custom push notification message that is set in Custom messages policy.
When a user tries to authenticate via smartphone authentication method after repository migration using the RepoMigration tool, the user receives the push notification without accept/decline options in it.
The web authentication session does not display the customized branding and customized messages.
While installing open-vm-tools with zypper, the following error message is displayed:
Problem: nothing provides libmspack.so.0()(64bit) needed by libvmtools0-11.0.5-260.1.x86_64
 Solution 1: do not install open-vm-tools-11.0.5-260.1.x86_64
 Solution 2: break libvmtools0-11.0.5-260.1.x86_64 by ignoring some of its dependencies
After the repository agent is installed, the postgres:10-alpine container restarts repeatedly when a user starts the containers, because the AAF Docker containers are incompatible with postgres:10-alpine.
This release includes the following fixes:
When a proxy is configured and a user tries to open the new Enrollment portal, an SSL bad handshake error message is displayed. Internal traffic is no longer routed through the proxy.
When users access the new Enrollment portal through the load balancer, the portal shows the name of the server instead of the name of the load balancer.
A 404 Object not found error message is displayed when users click the Help icon on the Enrollment portal.
When a user tries to open the new Enrollment portal in Safari, the error message Safari Can't Open the Page is displayed.
When a user tries to enroll the U2F authenticator in the new Enrollment portal, after clicking Detect U2F Device, an error message Unknown error is displayed.
When a user tries to test the U2F authenticator in Firefox, an error message Bad request is displayed after clicking Test Method.
This release includes the following fixes:
When users upgrade the Advanced Authentication appliance from 6.2 to 6.3, the appliance is not upgraded to the expected SUSE version.
Package updates cannot be retrieved during an update in the Configuration Portal.
When a user tries to update the Advanced Authentication Server from 6.3 Patch Update 1 to 6.3 Service Pack 1, the upgrade fails and a warning message is displayed.
This release includes the following fixes:
Advanced Authentication enhances Flex OTP to display the following message to users before they enter the OTP code in a Flex OTP authenticator chain: Please enter the OTP code. The message can be customized.
After upgrading to Advanced Authentication 6.3 Service Pack 1, RADIUS stops serving authentication requests because of database deadlocks.
When a user imports a backup.cpt file from a previous version of Advanced Authentication into 6.3 Service Pack 1, the RADIUS client IP is not displayed in Policies > RADIUS Options.
When a user tries to add a new RADIUS client in Policies > RADIUS Options after upgrading to Advanced Authentication 6.3 Service Pack 1, an error message Secrets do not match is displayed.
When a user tries to authenticate using a chain of three authenticators (LDAP Password + TOTP + Smartphone), the authentication fails after successful LDAP Password authentication with the following error message:
Unhandled exception: 'dict' object has no attribute 'get_attr'.
When the debug mode is enabled, RADIUS logs do not display the timestamps.
This release includes the following fixes:
In the Debug mode, the RADIUS logs display the passwords in clear text.
The user can authenticate using the Flex OTP method even after disabling Allow logon to this event by shared authenticator in the Cache Options policy. After the fix, the user cannot authenticate using Flex OTP if Allow logon to this event by shared authenticator is disabled.
In this release, Advanced Authentication upgrades pyrad from version 2.0 to 2.1. This resolves CVE-2013-0294, in which pyrad used Python's non-cryptographic random module to generate RADIUS request identifiers and authenticators.
Database passwords on some servers in the cluster were not secured. After this fix, no database in the cluster uses an unsecured password.
A security scan report shows TLS 1.1 instead of TLS 1.2. In this release, the security scan report does not show any TLS version.
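To see why the randomness source matters for the pyrad issue above, it helps to look at where the 16-byte Request Authenticator enters the protocol. The following is an added example, not NetIQ or pyrad code: it builds a RADIUS Access-Request whose Request Authenticator comes from os.urandom and hides the User-Password attribute as RFC 2865 section 5.2 specifies, then recovers it the way a server does. The first keystream block is MD5(shared secret + Request Authenticator), so a predictable or repeated authenticator lets anyone who learns one plaintext/ciphertext pair reuse that keystream against later requests. The shared secret, username and password are constructed sample values, and all function names are this example's own.

```python
"""Added example (not NetIQ or pyrad code): minimal RADIUS Access-Request
builder and parser with RFC 2865 5.2 User-Password hiding. The Request
Authenticator is drawn from os.urandom; secret and credentials are
constructed sample values."""
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def new_request_authenticator() -> bytes:
    # RFC 2865 requires this value to be unpredictable and unique per request.
    # pyrad before 2.1 produced it with Python's `random` module
    # (CVE-2013-0294); os.urandom() is the operating system CSPRNG.
    return os.urandom(16)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad to 16-octet blocks, then XOR block i with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator. The first keystream block thus
    depends only on the secret and the authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: recompute the keystream from the received authenticator
    and strip the NUL padding (a RADIUS password therefore cannot end in NUL)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         password: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    if authenticator is None:
        authenticator = new_request_authenticator()
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))):
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> Dict[str, object]:
    """Split header and attributes; the Length field must match the datagram."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS Length field does not match packet")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def server_recover_password(secret: bytes, packet: bytes) -> bytes:
    parsed = parse_packet(packet)
    return reveal_password(secret, parsed["authenticator"], parsed["attrs"][ATTR_USER_PASSWORD])


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # sample value
    pkt = build_access_request(7, SECRET, b"alice", b"correct horse battery staple")
    print(server_recover_password(SECRET, pkt))
```

Two caveats follow directly from the construction. The hiding is keyed only by the shared secret and the authenticator, so logging raw attribute octets in debug mode, reusing an authenticator, or drawing it from a guessable PRNG each weakens it; and because the scheme is MD5-based obfuscation rather than encryption, RADIUS traffic still needs a protected transport on any network you do not fully trust.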
This release includes the following fixes:
In a multi-tenant deployment, OAuth 2.0 and SAML 2.0 authentication does not work for tenants other than the TOP tenant.
When the TOP tenant enforces its policies on a sub-tenant, the SMS and Email methods do not work due to insufficient input validation.
Advanced Authentication 6.3 Service Pack 2 includes the following client fixes:
This release includes the following fixes:
After upgrading to Advanced Authentication 6.3 Service Pack 1, when a user tries to authenticate to the Windows Client in offline mode, the cache does not work and login fails.
When a user tries to connect to a remote VDI, single sign-on fails if the Citrix StoreFront is SAML-federated to Advanced Authentication via ADFS.
When chains are cached for offline logon, event details are missing. In this release, the details of the respective events are cached for each chain.
This release resolves the following issues with chain selection:
When a user clicks the Cancel button during authentication, the user is redirected to the chains selection screen and navigation using arrow buttons does not work if the enable_last_chain_selection parameter is enabled.
When a user clicks the Cancel button during authentication, the user is redirected to the chains selection screen and hitting the Enter key to select the first chain triggers a Wrong chain error message.
The chain selection page is displayed again after successful authentication when a user tries to connect to Windows Client installed on a remote machine after rebooting.
When a user clicks the Cancel button while connecting to a Bluetooth device in the Windows Client, the user is redirected to the initial Username screen instead of the chain selection screen.
When a user tries to install the Advanced Authentication 6.3 Service Pack 1 Device Service on macOS 10.13.6, the installation fails and the following error message is displayed:
The installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
When a user tries to plug in the PKI token on Ubuntu, Device Service does not recognize the token until the user restarts the Device Service.
LDAP password is required for authentication when a user tries to authenticate as a domain user in offline mode.
When a user tries to log in to a domain joined Linux workstation, the login fails, and an error message is displayed.
When a user tries to authenticate via PKI authenticator, the Linux Device Service displays the following error message:
Not found: SHA256. Error code: 0.
If binding a domain user to a local user in the Linux PAM Client fails, the domain user's chains are shown to the local user when the local user tries to log in.
After installing, the Authentication Agent does not start automatically.
When a user tries authentication using the Authentication Agent, it does not load the event login page in the restricted browser.
This release includes the following fixes:
When a user disconnects or logs off from a VMware View or VMware Horizon remote desktop, the user is redirected to the desktop selection page instead of being logged out of the VDA session.
When a user tries to re-register the endpoint, the following error message is displayed:
Exception: Cannot add or change the endpoint (same name or software_name already exist?).
When a user re-initiates a VDA session by tapping the RFID card on the reader, it takes 5-8 seconds before the prompt for the second authentication factor appears.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Advanced Authentication 6.3 Service Pack 2 includes the following known issues:
When a domain user tries to authenticate to Mac OS in offline mode, the wrong chains are displayed because the methods used are not cached properly in domain mode for the Mac OS client.
After upgrading to Windows 10 version 2004, the Logon Filter functionality does not work properly.
You can upgrade Advanced Authentication 6.3 or 6.3 Service Pack 1 to 6.3 Service Pack 2.
For more information about upgrading from 6.2, see Upgrading Advanced Authentication in the Advanced Authentication - Server Installation and Upgrade guide.
NOTE: The recommended upgrade sequence is to upgrade the Advanced Authentication servers first, followed by the plug-ins and Client components. Any other upgrade sequence is not supported.
NOTE: After upgrading the Linux PAM Client to 6.3 Service Pack 2 on CentOS and RHEL, you must re-bind domain users to local users if non-domain mode is used.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see http://www.microfocus.com/about/legal/.
© Copyright 2020 NetIQ Corporation, a Micro Focus company. All Rights Reserved.